Splunk Search

How to extract Time and User from events using regex?

uayub
Path Finder

The following events are filtered by Snare and sent to Splunk from Windows Servers:

Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 Security JOHN User Success Audit Server Logon/Logoff Successful Logon: User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930

Objective: To extract the Time and the User from these events using regex to filter these two fields.
Result:
Jul 01 02:56:52 2014 JOHN

Thanks

W

0 Karma

richgalloway
SplunkTrust

This regex string should do the trick.

(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s

Full Query

(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s" | table DateTime User
---
If this reply helps you, Karma would be appreciated.
0 Karma
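As an added check that is not part of the original answer, the Python script below runs the posted regex over the sample event from the question plus two constructed variants (not real log data): one with tab delimiters between the Snare header fields, which is how the Snare agent itself separates them, and one whose only "User Name:" is the "Caller User Name:" value. The hardened pattern, the EventID capture and the helper names (extract, event_time, table_row) are my additions; the `(?P<name>...)` group syntax is used because Python's re module requires it and Splunk's PCRE engine accepts it too, so the patterns can be pasted back into rex unchanged. event_time parses the event's own time string so it can be compared with the _time Splunk assigned, which is the question raised later in the thread.

```python
import re
from datetime import datetime

# Constructed sample events (not real log data) in the Snare MSWinEventLog
# layout from the question. EVENT_SPACES is the space-delimited form exactly
# as pasted in the question; EVENT_TABS uses tabs between the Snare header
# fields; EVENT_NO_PRIMARY has only a "Caller User Name:" field.
EVENT_SPACES = (
    "Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 Security "
    "JOHN User Success Audit Server Logon/Logoff Successful Logon: User Name: JOHN "
    "Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 Logon Process: User32 "
    "Authentication Package: Negotiate Workstation Name: Server "
    "Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ "
    "Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 "
    "Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930"
)
EVENT_TABS = (
    "Server.egcorp.com\tMSWinEventLog\t1\tSecurity\t255932\tTue Jul 01 03:10:05 2014\t528\t"
    "Security\tALICE\tUser\tSuccess Audit\tServer\tLogon/Logoff\tSuccessful Logon: "
    "User Name: ALICE Domain: egcorp Logon ID: (0x0,0xC8BD100) Logon Type: 10 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server "
    "Caller User Name: Server$ Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) "
    "Caller Process ID: 532 Transited Services: - Source Network Address: 10.1.2.3 "
    "Source Port: 49152\t255931"
)
EVENT_NO_PRIMARY = (
    "Server.egcorp.com\tMSWinEventLog\t1\tSecurity\t255933\tTue Jul 01 03:12:40 2014\t528\t"
    "Security\tSYSTEM\tUser\tSuccess Audit\tServer\tLogon/Logoff\tSuccessful Logon: "
    "Caller User Name: Server$ Caller Domain: egcorp"
)

# The regex from the answer, unchanged except for the (?P<name>...) group
# syntax. Note the literal space after each header token: it only works when
# the header fields are space-delimited.
POSTED = re.compile(
    r"(?:[\S]+ ){6}(?P<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?P<User>\S+)\s"
)

# Hardened variant (my addition): anchored at the start of the event, accepts
# tabs or spaces between header fields, pins the event ID to its own column
# instead of relying on a bare "528" search term (which also matches a Snare
# counter or a port number), and refuses to fall back to "Caller User Name:"
# when the primary "User Name:" is absent.
HARDENED = re.compile(
    r"^(?:\S+\s+){6}"
    r"(?P<DateTime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"(?P<EventID>\d+)\s+"
    r".*?(?<!Caller )User Name:\s+(?P<User>\S+)"
)


def extract(event, pattern=HARDENED):
    """Return the named groups as a dict, or None when the event does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def event_time(fields):
    """Parse the Snare time string (month day HH:MM:SS year, no weekday)."""
    return datetime.strptime(fields["DateTime"], "%b %d %H:%M:%S %Y")


def table_row(fields):
    """Render what '| table DateTime User' shows for one extracted event."""
    return f'{fields["DateTime"]} {fields["User"]}'


if __name__ == "__main__":
    for label, ev in (("spaces", EVENT_SPACES), ("tabs", EVENT_TABS),
                      ("no primary user", EVENT_NO_PRIMARY)):
        posted = extract(ev, POSTED)
        hard = extract(ev)
        print(f"{label:16} posted  : {table_row(posted) if posted else None}")
        print(f"{label:16} hardened: {table_row(hard) if hard else None}")
        if hard:
            print(f"{label:16} event time: {event_time(hard).isoformat()}")
```

Running it shows the posted regex producing the requested "Jul 01 02:56:52 2014 JOHN" row for the space-delimited event and nothing for the tab-delimited one, while the hardened pattern handles both and deliberately yields nothing (rather than Server$) for the event without a primary user name. If the fields come back blank in Splunk, copying one raw event into a script like this is the quickest way to see whether the delimiter, not the field names, is what the regex is tripping over.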

uayub
Path Finder

After adding the "*", it shows all fields including DateTime and User - but these fields are blank. The rest of the fields have valid data.

0 Karma

richgalloway
SplunkTrust

I've never known these boards to change text like that. Perhaps putting backticks around the pasted text will help.
Does adding a '*' to the table command show any fields have been parsed?

---
If this reply helps you, Karma would be appreciated.
0 Karma

uayub
Path Finder
(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s" | table DateTime User

In the search it all looks correct. Only when I paste it into the Splunk Community page does it come out different. Still no results are shown. I think the regex is not matching any user in the events.

0 Karma

richgalloway
SplunkTrust

Look closer. 'datetime' <> 'DateTime'; 'user' <> 'User'

---
If this reply helps you, Karma would be appreciated.
0 Karma

uayub
Path Finder
(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<datetime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<user>\S+)\s" | Table DateTime, User

It looks correct to me; perfect matching case too.

0 Karma

richgalloway
SplunkTrust

Remember that Splunk is case sensitive. The field names in the stats and table commands must match those in your rex string exactly.

---
If this reply helps you, Karma would be appreciated.
0 Karma

uayub
Path Finder

After applying this, the Events tab shows the entire raw events but the Statistics tab shows no results. Am I missing something?

0 Karma

somesoni2
SplunkTrust

Add this after the search. "| table DateTime, User"

0 Karma

uayub
Path Finder

I tried:
(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<datetime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<user>\S+)\s"

and I just got the raw events.

0 Karma

uayub
Path Finder

RICHGALLOWAY - Sorry, I misunderstood your question. The event that I listed above is in fact just one event. But Splunk receives multiple such events.

0 Karma

uayub
Path Finder

The time stamps of Splunk and the event might not be the same.

0 Karma

richgalloway
SplunkTrust

If that's multiple events then you'll have trouble using just regex to get your fields. I see a date only in the first event and a user name only in the second (twice). To parse these, you'll first need to combine them using a common field.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Richfez
SplunkTrust

Does the time stamp Splunk has found match your time string in the data? If so, can you use that for your time?

0 Karma

uayub
Path Finder

Multiple events

0 Karma

richgalloway
SplunkTrust

Is that a single event you cited or multiple events?

---
If this reply helps you, Karma would be appreciated.
0 Karma